Day: February 6, 2019

Facebook head of communications Caryn Marooney is leaving for greener pastures, she announced today, on Facebook of course. She joins the growing number of executives and high-level employees departing the company during and after what may be its toughest year.

“I spent a lot of time over the winter holiday reflecting, and with the New Year, and after 8 years at Facebook, I’ve decided to step down as leader of the communications group,” Marooney wrote. “I’ve decided it’s time to get back to my roots: going deep in tech and product.”

She thanked CEO Mark Zuckerberg and COO Sheryl Sandberg, with whom she worked closely. The former commented to thank Marooney “for the dedication and brilliance you have brought to Facebook over the years.”

Certainly she saw Facebook during a period of intense growth and transition, though arguably the company’s entire history has been marked by those traits. But 2011’s Facebook was remarkably smaller and less complex — operationally, ethically and legally — so to have gone from that middle stage to the present must certainly have been quite a ride.

Marooney is just the latest in what seems like a constant of high-profile departures over the last year:

GoPro Inc reported its first profit in five quarters on Wednesday and topped Wall Street estimates for revenue, as it cut costs and saw strong demand for the latest action cameras from its flagship HERO line.

LibreOffice, an open source clone of Microsoft Office, has patched a bug that allowed attackers to execute commands of their choosing on vulnerable computers. A similar flaw in Apache OpenOffice remains unfixed.

Austrian researcher Alex Inführ publicly reported the vulnerability on Friday, shortly after it was fixed in LibreOffice. His disclosure included a proof-of-concept exploit that successfully executed commands on computers running what was then a fully patched version of LibreOffice. The only interaction that was required was that the target user hover over an invisible link with a mouse. On Wednesday, researcher John Lambert provided additional PoC samples.

The chief vulnerability exploited is a path traversal that allowed the attack code to move out of its current directory and into one that contained a sample Python script that LibreOffice installed by default. That allowed Inführ to invoke the cmd command on the vulnerable computer. The researcher then exploited a separate weakness that allowed him to pass parameters of his choice to the command.

Match Group Inc beat Wall Street estimates for fourth-quarter revenue and profit on Wednesday as its popular dating app, Tinder, attracted more subscribers, sending its shares up as much as 12 percent in extended trading.

At the tail end of its shareholder letter for Q1 2019, Sonos disclosed that the company’s chief financial officer, Mike Giannetto, will be retiring “later this year.” Giannetto has been with Sonos for seven years, helping to guide the company through its IPO back in August of 2018.

As for who will take over the role: Sonos isn’t sure yet. They’ve hired a search firm to help them find a new CFO, but CEO Patrick Spence writes that Giannetto “will help with that search and be around as long as we need him to ensure a smooth transition.”

Sonos stock dipped by about 17 percent immediately after the news was announced (from $12.37 at market close to $10.42 after hours) but has climbed its way back up a bit to around $11.76 per share.

Many major companies, like Air Canada, Hollister and Expedia, are recording every tap and swipe you make on their iPhone apps. In most cases you won’t even realize it. And they don’t need to ask for permission.

You can assume that most apps are collecting data on you. Some even monetize your data without your knowledge. But TechCrunch has found several popular iPhone apps, from hoteliers, travel sites, airlines, cell phone carriers, banks and financiers, that don’t ask or make it clear — if at all — that they know exactly how you’re using their apps.

Worse, even though these apps are meant to mask certain fields, some inadvertently expose sensitive data.

Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, a customer experience analytics firm, one of a handful of companies that allows developers to embed “session replay” technology into their apps. These session replays let app developers record the screen and play them back to see how its users interacted with the app to figure out if something didn’t work or if there was an error. Every tap, button push and keyboard entry is recorded — effectively screenshotted — and sent back to the app developers.

Or, as Glassbox said in a recent tweet: “Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it?”

The App Analyst, a mobile expert who writes about his analyses of popular apps on his eponymous blog, recently found Air Canada’s iPhone app wasn’t properly masking the session replays when they were sent, exposing passport numbers and credit card data in each replay session. Just weeks earlier, Air Canada said its app had a data breach, exposing 20,000 profiles.

In the case of Air Canada’s app, although the fields are masked, the masking didn’t always stick (Image: The App Analyst/supplied)

We asked The App Analyst to look at a sample of apps that Glassbox had listed on its website as customers. Using Charles Proxy, a man-in-the-middle tool used to intercept the data sent from the app, the researcher could examine what data was going out of the device.

Not every app was leaking masked data; none of the apps we examined said they were recording a user’s screen — let alone sending them back to each company or directly to Glassbox’s cloud.

That could be a problem if any one of Glassbox’s customers aren’t properly masking data, he said in an email. “Since this data is often sent back to Glassbox servers I wouldn’t be shocked if they have already had instances of them capturing sensitive banking information and passwords,” he said.

The App Analyst said that while Hollister and Abercrombie & Fitch sent their session replays to Glassbox, others like Expedia and Hotels.com opted to capture and send session replay data back to a server on their own domain. He said that the data was “mostly obfuscated,” but did see in some cases email addresses and postal codes. The researcher said Singapore Airlines also collected session replay data but sent it back to Glassbox’s cloud.

Without analyzing the data for each app, it’s impossible to know if an app is recording a user’s screens of how you’re using the app. We didn’t even find it in the small print of their privacy policies.

Apps that are submitted to Apple’s App Store must have a privacy policy, but none of the apps we reviewed make it clear in their policies that they record a user’s screen. Glassbox doesn’t require any special permission from Apple or from the user, so there’s no way a user would know.

We asked all of the companies to point us to exactly where in its privacy policies it permits each app to capture what a user does on their phone.

Only Abercombie responded, confirming that Glassbox “helps support a seamless shopping experience, enabling us to identify and address any issues customers might encounter in their digital experience.” The spokesperson pointing to Abercrombie’s privacy policy makes no mention of session replays, neither does its sister-brand Hollister’s policy.

“I think users should take an active role in how they share their data, and the first step to this is having companies be forthright in sharing how they collect their users data and who they share it with,” said The App Analyst.

When asked, Glassbox said it doesn’t enforce its customers to mention its usage in their privacy policy.

“Glassbox has a unique capability to reconstruct the mobile application view in a visual format, which is another view of analytics, Glassbox SDK can interact with our customers native app only and technically cannot break the boundary of the app,” the spokesperson said, such as when the system keyboard covers part of the native app, “Glassbox does not have access to it,” the spokesperson said.

Glassbox is one of many session replay services on the market. Appsee actively markets its “user recording” technology that lets developers “see your app through your user’s eyes,” while UXCam says it lets developers “watch recordings of your users’ sessions, including all their gestures and triggered events.” Most went under the radar until Mixpanel sparked anger for mistakenly harvesting passwords after masking safeguards failed.

It’s not an industry that’s likely to go away any time soon — companies rely on this kind of session replay data to understand why things break, which can be costly in high-revenue situations.

But for the fact that the app developers don’t publicize it just goes to show how creepy even they know it is.

Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755–8849. You can also send PGP email with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.